Solved

UDP Syslog Traffic versus Raw Network Capture

Posted on 2013-12-20
489 Views
Last Modified: 2013-12-22
I have a diagram where there is a line of UDP syslog traffic flowing from a switch to a web security device and another line extending from the switch to a live-human monitoring station.
What is the difference between UDP syslog traffic and raw network traffic?
Question by:brothertruffle880
3 Comments
 
LVL 22

Accepted Solution

by:
eeRoot earned 167 total points
ID: 39733251
Depends on how the capture tools have been configured.  But generally speaking, syslog servers will show a log of events (alerts, informational, debugging, etc.) while monitoring network traffic shows every packet that goes across your network.  Network monitors (such as spanned/mirrored ports or hardware taps) show much more info, but it can be too much info sometimes.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 167 total points
ID: 39733284
Log vs. packets. The traffic payload details are mostly found in the packet or raw traffic, while the syslog would have normalised and surfaced the events depending on how the device source is configured. Syslog is at max based on RFC 5424 (http://tools.ietf.org/html/rfc5424) at 2048 bytes. Packet capture needs much larger storage, e.g. it can be an estimated 32 MB file saved every 15 minutes.

Specifically the raw syslog data can be substantial depending on typical severity level that is set e.g. level (0 to 7): emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6), or debugging (7). The higher the level, the more messages (and types of messages) that are generated.

You tend to pipe the SPAN port of the switch, which carries the same raw traffic, to further analysis such as AV scan, content filter, or a breach detection system passively deployed inline. In other words, with raw packet traffic you can do more, but with logs you only get what the source wanted you to see. SIEMs are mostly the reason for having centralised logging of all syslog piped to them.

While there are no strict guidelines pertaining to the log format, most syslog messages are generated in human-readable form with the assumption that capable administrators should be able to read them and understand their meaning.  Note that standard syslog protocol does not have mechanisms to provide confidentiality for the messages in transit. In most cases, passing clear-text messages is a benefit to the operations staff as compared to the raw packets from the wire.  The operations staff may be able to read the messages and associate them with other events seen from other packets crossing the wire to track down and correct problems.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 166 total points
ID: 39733582
One way to think of the difference between syslog data and raw network traffic is the difference between an MS Word document and a file.

While an MS Word document and an MS Excel spreadsheet are both files, what makes them different/unique is the content within the file.  So an MS Word document is a subset of "files."

Syslog data is really a subset of "raw network data."

As the others have posted, my guess is that in your case the "raw network data" is a result of port mirroring (either using SPAN or RSPAN or something like that) vs. a connection that is set up to send traffic to a syslog server.
0
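The three answers make two related points: a syslog message is a normalised event carried in a bounded RFC 5424 message (btan), and on the wire that message is just the UDP payload of one packet among all the packets a SPAN port or tap would show (giltjr, eeRoot). The Python below is an added illustration of both views, not code from any of the posters. It constructs a single IPv4/UDP datagram carrying a made-up RFC 5424 message (hostname `websec01`, app name `proxy`, SD-ID `web@32473` and the message text are invented for the example), decodes it once as packet headers plus an opaque payload and once as a syslog event with facility and severity, and filters a constructed batch of messages by the 0-7 severity levels btan lists.

```python
"""Added example: a raw IPv4/UDP datagram carrying an RFC 5424 syslog message,
decoded first as packet bytes and then as a syslog event (not from the thread)."""
import re
import struct

# Severity names in the order the thread lists them (RFC 5424 section 6.2.1, codes 0-7).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
UDP_PROTO = 17
SYSLOG_PORT = 514
MAX_SYSLOG_OCTETS = 2048  # message size RFC 5424 says transports SHOULD support

# Constructed sample payload: PRI <134> = facility 16 (local0) * 8 + severity 6 (informational).
# Hostname, app name, SD-ID and message text are invented for this example.
SAMPLE_SYSLOG = (b"<134>1 2013-12-20T10:15:30.000Z websec01 proxy 4242 URLBLOCK "
                 b'[web@32473 user="jdoe" action="block"] request denied by policy')

# Constructed batch spanning several severities (timestamp and SD given as '-' = nil).
SAMPLE_BATCH = [
    b"<128>1 - websec01 kernel - - - power supply failure",   # severity 0
    b"<131>1 - websec01 proxy 4242 - - upstream timeout",     # severity 3
    SAMPLE_SYSLOG,                                            # severity 6
    b"<135>1 - websec01 proxy 4242 - - cache lookup miss",    # severity 7
]


def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_udp_datagram(src_ip, dst_ip, src_port, dst_port, payload):
    """Wrap payload in minimal IPv4 and UDP headers (checksums left at 0; constructed wire bytes)."""
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, UDP_PROTO, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return ip_hdr + udp_hdr + payload


def parse_ipv4_udp(frame):
    """The packet-capture view: addresses, ports and an opaque UDP payload."""
    if frame[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != UDP_PROTO:
        raise ValueError("not UDP")
    src_ip = ".".join(str(b) for b in frame[12:16])
    dst_ip = ".".join(str(b) for b in frame[16:20])
    src_port, dst_port, udp_len, _csum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    payload = frame[ihl + 8:ihl + udp_len]
    return {"src": (src_ip, src_port), "dst": (dst_ip, dst_port), "payload": payload}


# PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then STRUCTURED-DATA [MSG].
HEADER_RE = re.compile(rb"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+)(?: (.*))?$", re.DOTALL)


def split_structured_data(rest):
    """Split STRUCTURED-DATA ('-' or one or more [...] elements) from the free-text MSG."""
    if rest.startswith(b"-"):
        return b"-", rest[2:]
    i = 0
    while i < len(rest) and rest[i:i + 1] == b"[":
        j = i + 1
        while j < len(rest) and rest[j:j + 1] != b"]":
            j += 2 if rest[j:j + 1] == b"\\" else 1   # skip escaped \] \" \\ inside a PARAM-VALUE
        i = j + 1
    msg = rest[i + 1:] if rest[i:i + 1] == b" " else rest[i:]
    return rest[:i], msg


def parse_syslog(payload):
    """The syslog-collector view: the one event the source chose to emit."""
    if len(payload) > MAX_SYSLOG_OCTETS:
        raise ValueError("message exceeds %d octets" % MAX_SYSLOG_OCTETS)
    m = HEADER_RE.match(payload)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    sd, msg = split_structured_data(m.group(8) or b"")
    return {"facility": pri >> 3, "severity": pri & 7, "severity_name": SEVERITIES[pri & 7],
            "version": int(m.group(2)), "timestamp": m.group(3).decode(),
            "hostname": m.group(4).decode(), "app_name": m.group(5).decode(),
            "procid": m.group(6).decode(), "msgid": m.group(7).decode(),
            "structured_data": sd.decode(), "msg": msg.decode(errors="replace")}


def events_at_or_below(payloads, max_severity):
    """Events a source configured at `max_severity` would send (0 = emergencies only, 7 = everything)."""
    return [e for e in map(parse_syslog, payloads) if e["severity"] <= max_severity]


def demo():
    frame = build_udp_datagram("10.0.0.2", "10.0.0.50", 40000, SYSLOG_PORT, SAMPLE_SYSLOG)
    pkt = parse_ipv4_udp(frame)            # capture sees the whole frame; syslog is only its payload
    event = parse_syslog(pkt["payload"])   # collector sees one normalised event
    return frame, pkt, event


if __name__ == "__main__":
    frame, pkt, event = demo()
    print(len(frame), "bytes on the wire ->", pkt["src"], "->", pkt["dst"])
    print(event["severity_name"], event["hostname"], event["msgid"], event["msg"])
    print(len(events_at_or_below(SAMPLE_BATCH, 4)), "of", len(SAMPLE_BATCH), "events at level 4 (warnings)")
```

The same 2048-octet bound btan cites is enforced in `parse_syslog`; anything the source did not encode into that message (the request body, the TLS handshake, the other hosts on the segment) exists only in the capture, which is why the raw feed can grow at the rate he describes while the log stays small.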
